Cyber Posture

CVE-2024-26153

High

Published: 17 January 2025

Published
17 January 2025
Modified
30 July 2025
KEV Added
Patch
CVSS Score 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
EPSS Score 0.0016 37.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-26153 is a high-severity CSRF (CWE-352) vulnerability in Etictelecom Remote Access Server Firmware. Its CVSS base score is 7.4 (High).

Operationally, ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match
prevent

SC-23 directly protects against CSRF attacks by requiring mechanisms such as unique session tokens to validate the authenticity of state-changing requests like the vulnerable 'setconf' method.

SI-10 Information Input Validation good match
prevent

SI-10 mandates validation of information inputs, including CSRF tokens on the 'setconf' endpoint, to reject forged requests from external attackers.

AC-3 Access Enforcement partial match
prevent

AC-3 enforces access control policies that can incorporate CSRF token checks to prevent unauthorized execution of the 'setconf' method via user interaction tricks.

NVD Description

All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). An external attacker with no access to the device can force the end user into submitting a "setconf" method request, not…

more

requiring any CSRF token, which can lead into denial of service on the device.

Deeper analysisAI

CVE-2024-26153 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting all versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19. The issue stems from the "setconf" method request lacking any CSRF token requirement, allowing forged requests to be processed.

An external attacker requires no access or privileges on the device (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L), but it demands user interaction (UI:R). By tricking an authenticated end user into submitting the forged request—such as via a malicious webpage—the attacker achieves a denial of service (A:H) on the device, with a changed scope (S:C) and no impact on confidentiality or integrity (C:N/I:N). The CVSS v3.1 base score is 7.4.

The CISA ICS Advisory ICSA-22-307-01 provides further details on this vulnerability at https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01. Updating to ETIC Telecom RAS version 4.9.19 or later addresses the issue.

Details

CWE(s)
CWE-352

Affected Products

etictelecom
remote access server firmware
≤ 4.9.19

CVEs Like This One

CVE-2024-26155Same product: Etictelecom Remote Access Server Firmware
CVE-2026-28495Shared CWE-352
CVE-2025-22343Shared CWE-352
CVE-2025-30564Shared CWE-352
CVE-2025-26543Shared CWE-352
CVE-2025-25907Shared CWE-352
CVE-2025-31616Shared CWE-352
CVE-2025-31449Shared CWE-352
CVE-2026-5791Shared CWE-352
CVE-2025-23990Shared CWE-352

References